On Fri, May 20, 2005 at 05:59:55AM -0700, traef06@xxxxxxxxxxxxxxxxxx wrote:
> I am trying to put together a system with Debian 2.6 kernel, iptables 1.3.1, squid and snort all on one box.
> (it's for a very small network 8 - 10 PCs)
>
> My question is this, if I put this into my iptables rules;
>
> iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.1 -p tcp --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
>
> will this traffic then pass through the OUTPUT chain before it leaves the firewall so then I can put:
>
> iptables -A OUTPUT -p tcp --dport 80 -j QUEUE

yes.

> after the above so that snort-inline will monitor all outgoing port 80 traffic after it's been "squidded"?
>
> Please help with any other suggestions on how to do this better.

I'm not sure what you're looking to accomplish by snort-ing the web browsing traffic of your users. The vast majority of snort HTTP rules are written to detect attacks against web servers, so normally you'd be using snort to monitor traffic to your web servers, not from your clients' web browsers.

If you have an unruly, attack-prone user base that you're trying to hinder from pestering the rest of the Internet--I applaud you. If you're trying to save your users from their own stupidity, you'd probably be better off writing some ACLs directly in your squid conf.

-j

--
"Stewie: What the hell is this? Lois: Stewie that's tuna salad. Stewie: Really? I could have sworn it was cat food." --Family Guy
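The ruleset the two messages above are discussing, written out as a complete iptables-restore stanza. This is an added example, not code from either poster. It assumes (none of this is stated in the thread) that the LAN is 192.168.0.0/24 on eth0, the firewall itself is 192.168.0.1, squid listens on 3128 as user "proxy" (Debian's default), and snort-inline is attached to the ip_queue QUEUE target. It differs from the quoted rules in two ways worth knowing about: REDIRECT replaces "DNAT --to 192.168.0.1:3128" (REDIRECT is DNAT to the address of the interface the packet arrived on, so the IP is not hard-coded), and the OUTPUT rule matches on squid's uid with the owner match, so only the "squidded" connections are queued rather than every port-80 connection the box itself opens (apt, wget, etc.).

```shell
#!/bin/sh
# Added example (not from the original thread): transparent squid proxy plus
# snort-inline on one box, as an iptables-restore ruleset.
# Assumed values (not given in the thread); override via the environment.
LAN_IF="${LAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
FW_IP="${FW_IP:-192.168.0.1}"
SQUID_PORT="${SQUID_PORT:-3128}"
SQUID_USER="${SQUID_USER:-proxy}"

# Emit the ruleset to stdout. Building it is kept separate from applying it
# so the rules can be reviewed (or tested) without root and without
# touching the live firewall.
build_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Do not intercept LAN traffic aimed at the firewall's own port 80 (a web
# server on the box would otherwise be handed to squid).
-A PREROUTING -i $LAN_IF -d $FW_IP -p tcp --dport 80 -j ACCEPT
# Send every other LAN web request to the local squid. REDIRECT is DNAT to
# the address of the incoming interface, so no IP is hard-coded here.
-A PREROUTING -i $LAN_IF -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Only LAN clients may reach squid directly.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
-A INPUT -p tcp --dport $SQUID_PORT -j DROP
# Squid's outbound fetches are generated on this host, so they traverse
# OUTPUT (answering the question in the thread). Matching on squid's uid
# hands only the proxied traffic to snort-inline, not every port-80
# connection the box itself makes.
-A OUTPUT -m owner --uid-owner $SQUID_USER -p tcp --dport 80 -j QUEUE
COMMIT
EOF
}

# Load the ruleset. Note that iptables-restore without -n replaces the
# nat and filter tables wholesale, so merge any existing rules first.
apply_rules() {
    build_rules | iptables-restore
}

case "${1:-show}" in
    apply) apply_rules ;;
    *)     build_rules ;;
esac
```

Two caveats before loading this: squid must be configured to accept intercepted requests (plain proxy mode will reject them, since the client never sent a proxy-style request line), and snort-inline has to be running before the OUTPUT rule is in place, because packets handed to QUEUE with no userspace listener are dropped rather than passed. Run the script with no argument to print the rules and with "apply" to load them.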